2.1.4 Verifying Version Numbers after Upgrading

Examine the value in the Version field to verify that the component has been upgraded to 3.1 SP4.

Component                   Version
Administration Console      3.1.4.27
Identity Server             3.1.4.27
Linux Access Gateway        3.1.4.27
Access Gateway Services     3.1.4.27
SSL VPN                     3.1.4.27

2.2 Installing the High-Bandwidth SSL VPN Server

The key for the high-bandwidth SSL VPN server does not ship with the product because of export laws and restrictions. The high-bandwidth version does not have the connection and performance restrictions that are part of the version that ships with the product. Your regular Novell sales channel can determine if the export law allows you to order the high-bandwidth version at no extra cost.

After you have obtained authorization for the high-bandwidth version, log in to the Novell Customer Center and follow the link that allows you to download the high-bandwidth key.

3.0 Bugs Fixed in Access Manager 3.1 SP4

The following bugs are fixed between 3.1 SP3 and 3.1 SP4 releases:

3.1 Administration Console

Fixed an issue where clicking the Share Settings tabs with no configuration changes caused an IDP update to be applied.

Fixed an issue in Administration Console where Linux Access Gateway updates sometimes stay in the pending state indefinitely when configuration is applied through the Apply All operation.

Fixed an issue where the Access Gateway Service Management IP address could not be configured.

Fixed a PasswordMush exception issue while accessing the local identity provider in the user store.

3.2 Identity Server

Fixed an issue where the Enhanced Smart Card method did not work.

Fixed an issue where the value of a shared secret could not be changed with a custom authentication class.

Fixed an issue where the Identity Provider Session Timeout attribute was not included in the assertion.

Fixed an issue where a federated user with a transient name identifier could not be mapped to a local user by using the matching attribute.

Fixed an issue associated with SP Brokering where a null pointer exception is generated when logging out from the target service provider.

Fixed an issue where the login page did not pre-populate the username in the user name field after an initial login request failed.

Fixed an issue with the SAML 1.1 POST profile so that the assertion consumer URL is now included in the Recipient attribute.

Fixed an issue where error 300101032 was generated while processing a SAML assertion when the Assertion Validity Window parameter was configured.

Fixed an issue where intruder lockouts occur in a multiple replica environment when a user grace login count is less than the number of LDAP replicas configured.

Fixed an issue where the message "There are no login connections available. Please try again later." was returned to the user after entering incorrect credentials.

Fixed an "Array Index Out of Bounds" exception that occurred while accessing an Access Gateway appliance protected resource after removing an IDP server from a two-node cluster and applying the update.

Fixed an issue where a user was not redirected to the password management servlet after authenticating to the identity provider server in an Active Directory environment.

Fixed an issue where users could not reach the target specified in the SAML Intersite Transfer URL target parameter after upgrading to 3.1 SP3.

Fixed an issue where debug logs were written even though logging was not enabled on the identity provider server.

Fixed an issue where the Tomcat version was displayed on the error pages.

Fixed a potential security vulnerability issue on the identity provider login page with the localized help file frames.

Fixed a 302 redirect issue in the “Relay State” which was URL encoded after consuming a SAML response.

Fixed an issue where the password fetch method was not executed at the SAML 2.0 service provider while consuming an assertion from the identity provider server through the Intersite Transfer URL.

Fixed an issue where the user could not set any value other than "Exact" for the SAML 2.0 RequestedAuthnContext comparison.

Fixed an issue where authentication failed for WSFederation with SharePoint 2010 after applying 3.1 SP3 when the times for the identity provider WSFed were not synchronized. For more information, see Assertion Validity Window.

Fixed an issue where the Kerberos authentication failed when the request was proxied by an identity provider to another identity provider.

Fixed an issue where the cluster cookies did not carry the Secure and HttpOnly flags. These flags are not enabled by default; web.xml options were introduced to enable them. For more information, see Enabling Secure or HTTPOnly Flags for Cluster Cookies.

Fixed an issue where the service provider generated two SAML SSO requests, resulting in two session indexes that caused incomplete single logout.

Fixed an issue when the identity server in a cluster received a SAML 2.0 logout request where the authentication was performed on a different node.

Fixed an issue where a SAML 2.0 attribute query response did not populate the inResponseTo attribute in SubjectConfirmation.

Fixed an issue where rewriting for a path-based multi-homing accelerator stopped working after upgrading to SP3, resulting in a 404 Not Found error.

Fixed an Access Gateway appliance crash that occurred when configuration changes were applied immediately after a cache purge with the high availability feature enabled.

Fixed an issue where the Access Gateway Appliance crashed in the rewriter when the configuration was changed. The rewriter configuration now works as expected across the vmc restarts that accompany the Purge Cache command.

Fixed a cross site scripting issue with the embedded service provider.

Fixed a potential ics_dyn gateway process restart issue, which occurred when the system configuration was applied.

Fixed an issue associated with the Access Gateway appliance that occurred when sending duplicate range requests to the back-end server.

Fixed an issue where the Access Gateway appliance prompted for re-authentication when the password management touch file was enabled, even though the user had a valid session.

Fixed an issue where the Access Gateway appliance did not do a complete TLS handshake during the health check to the back-end server.

Fixed a random Access Gateway appliance crash that occurred while updating the configuration with a new protected resource when upgrading from 3.1.2 IR2 to 3.1.2 IR3.

Fixed an issue where the SAML authorization response did not include the authorization request when authentication to the identity server fails.

Fixed an issue with Range requests where the Access Gateway Appliance sends the same request twice to the Web server, resulting in random server crashes.

Fixed an issue where the Access Gateway Appliance crashed when the Web server sent a Content-Length response header value smaller than the actual content.

Fixed a login issue in a cluster environment with the Access Gateway Appliance when the user name contained double-byte characters.

Fixed an issue with the OpenHRE login page. If the value for the form number was configured as 0 in the Form Fill policy, the login page was truncated.

Fixed an issue where random process restarts occurred in SP3.

Fixed an issue in the authorization policy where evaluation of multiple LDAP OUs failed after upgrading from 3.1 SP2 to 3.1 SP3.

Fixed an issue where the /var/novell/.disableWSHealth touch file was not working. This touch file prevents the device health from being marked as bad because of unreachable Web servers. For more information, see disableWSHealth.

Fixed an issue where the user’s private information was getting logged to the soapmessages log file under specific configurations.

Fixed a 403 Forbidden error that resulted when the user posted large data (more than 56 KB) after a session timeout. The administrator can change the post data parking size limit. For more information, see ParkingSizeInKiloBytes.

Fixed an issue where the source port of the connection to the Web server was incorrect in the ics_dyn.log file.

Fixed an issue where the Access Gateway Appliance crashed while redirecting from HTTP to HTTPS when the Host header exceeded 4 KB.
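Several of the SAML fixes above (the Recipient value in the POST profile, the Assertion Validity Window, and InResponseTo in SubjectConfirmation) concern checks a service provider must make on every assertion it consumes. The following is an added example, not code from Novell Access Manager, that runs those checks on a constructed SAML 2.0 response. The hostnames, IDs and the `/nidp/saml2/...` paths are assumptions; the `skew_seconds` parameter plays the role of the Assertion Validity Window setting; XML signature verification is assumed to have succeeded before this code runs.

```python
import datetime as dt
import xml.etree.ElementTree as ET

NS = {
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
}

# Assumed service-provider identity (hypothetical hostname, not from the readme).
SP_ACS = "https://sp.example.com/nidp/saml2/spassertion_consumer"
SP_ENTITY_ID = "https://sp.example.com/nidp/saml2/metadata"

# Constructed sample response; IDs and timestamps are made up for the example.
SAMPLE_RESPONSE = """<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="_resp1" Version="2.0"
    IssueInstant="2011-09-20T10:15:00Z" InResponseTo="_req42">
  <saml:Assertion ID="_a1" Version="2.0" IssueInstant="2011-09-20T10:15:00Z">
    <saml:Issuer>https://idp.example.com/nidp/saml2/metadata</saml:Issuer>
    <saml:Subject>
      <saml:NameID Format="urn:oasis:names:tc:SAML:2.0:nameid-format:transient">_t1</saml:NameID>
      <saml:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
        <saml:SubjectConfirmationData InResponseTo="_req42"
            Recipient="https://sp.example.com/nidp/saml2/spassertion_consumer"
            NotOnOrAfter="2011-09-20T10:20:00Z"/>
      </saml:SubjectConfirmation>
    </saml:Subject>
    <saml:Conditions NotBefore="2011-09-20T10:14:00Z" NotOnOrAfter="2011-09-20T10:20:00Z">
      <saml:AudienceRestriction>
        <saml:Audience>https://sp.example.com/nidp/saml2/metadata</saml:Audience>
      </saml:AudienceRestriction>
    </saml:Conditions>
  </saml:Assertion>
</samlp:Response>"""


def parse_saml_time(value):
    """Parse an xs:dateTime such as 2011-09-20T10:15:00Z into an aware datetime."""
    if value.endswith("Z"):
        value = value[:-1] + "+00:00"
    return dt.datetime.fromisoformat(value)


def validate_assertion(response_xml, *, recipient, in_response_to, audience, now, skew_seconds=0):
    """Check the bearer SubjectConfirmationData and Conditions of the first Assertion.

    `now` is an aware datetime or an xs:dateTime string. Returns a list of failure
    reasons; an empty list means the assertion is acceptable. Signature verification
    is assumed to have happened already and is not part of this function.
    """
    if isinstance(now, str):
        now = parse_saml_time(now)
    skew = dt.timedelta(seconds=skew_seconds)  # tolerated clock difference (validity window)
    problems = []
    root = ET.fromstring(response_xml)
    assertion = root.find("saml:Assertion", NS)
    if assertion is None:
        return ["Response carries no Assertion"]

    # Bearer confirmation: addressed to our ACS URL, answering the request we
    # actually sent, and still fresh.
    scd = assertion.find("saml:Subject/saml:SubjectConfirmation/saml:SubjectConfirmationData", NS)
    if scd is None:
        problems.append("missing SubjectConfirmationData")
    else:
        if scd.get("Recipient") != recipient:
            problems.append("Recipient %r does not match ACS URL %r" % (scd.get("Recipient"), recipient))
        if scd.get("InResponseTo") != in_response_to:
            problems.append("InResponseTo %r does not match request ID %r" % (scd.get("InResponseTo"), in_response_to))
        not_after = scd.get("NotOnOrAfter")
        if not_after is None or now >= parse_saml_time(not_after) + skew:
            problems.append("SubjectConfirmationData has expired")

    # Conditions: validity period (widened by the skew on both ends) and audience.
    cond = assertion.find("saml:Conditions", NS)
    if cond is None:
        problems.append("missing Conditions")
    else:
        not_before, not_after = cond.get("NotBefore"), cond.get("NotOnOrAfter")
        if not_before is not None and now < parse_saml_time(not_before) - skew:
            problems.append("assertion is not yet valid")
        if not_after is None or now >= parse_saml_time(not_after) + skew:
            problems.append("assertion has expired")
        audiences = [a.text for a in cond.findall("saml:AudienceRestriction/saml:Audience", NS)]
        if audience not in audiences:
            problems.append("audience %r not in %r" % (audience, audiences))
    return problems


if __name__ == "__main__":
    for when, skew in (("2011-09-20T10:16:00Z", 0), ("2011-09-20T10:21:00Z", 0), ("2011-09-20T10:21:00Z", 120)):
        result = validate_assertion(SAMPLE_RESPONSE, recipient=SP_ACS, in_response_to="_req42",
                                    audience=SP_ENTITY_ID, now=when, skew_seconds=skew)
        print(when, "skew=%ds" % skew, "OK" if not result else result)
```

The third run in the usage block is the Assertion Validity Window case: an assertion that is one minute past NotOnOrAfter is rejected with a zero window and accepted with a two-minute window, which is why the fix for unsynchronized clocks points at that setting rather than at disabling the time checks.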
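Because the Secure and HttpOnly flags on the cluster cookies are off by default even after this fix, it is worth checking the flags the Identity Server actually sends once the web.xml options are set. The following is an added example, not code from the product: it audits a list of Set-Cookie header values for the two flags and includes a helper to collect those headers over HTTPS. The sample headers and the cookie name "ClusterCookie" are constructed, and the "/nidp/app" path is an assumption.

```python
import http.client

# Constructed Set-Cookie values for the offline demo (not captured from a real server).
SAMPLE_HEADERS = [
    "JSESSIONID=9F1B2C3D4E5F6A7B; Path=/nidp; Secure; HttpOnly",
    "ClusterCookie=node1; Path=/nidp",  # hypothetical name: flags missing
]


def missing_cookie_flags(set_cookie_values):
    """Map each cookie name to the list of flags it lacks out of Secure and HttpOnly.

    Attribute names are compared case-insensitively, as browsers do.
    """
    findings = {}
    for value in set_cookie_values:
        parts = [p.strip() for p in value.split(";")]
        name = parts[0].split("=", 1)[0]
        present = {p.split("=", 1)[0].lower() for p in parts[1:]}
        findings[name] = [flag for flag in ("Secure", "HttpOnly") if flag.lower() not in present]
    return findings


def fetch_set_cookie_values(host, path="/nidp/app", port=443):
    """Collect every Set-Cookie header from one HTTPS GET (needs network access)."""
    conn = http.client.HTTPSConnection(host, port, timeout=10)
    try:
        conn.request("GET", path)
        resp = conn.getresponse()
        # getheaders() keeps repeated Set-Cookie headers as separate entries.
        return [v for k, v in resp.getheaders() if k.lower() == "set-cookie"]
    finally:
        conn.close()


if __name__ == "__main__":
    for name, missing in missing_cookie_flags(SAMPLE_HEADERS).items():
        print(name, "OK" if not missing else "missing " + ", ".join(missing))
```

Run `missing_cookie_flags(fetch_set_cookie_values("idp.example.com"))` against each cluster member after applying the configuration; any cookie that still lists a missing flag has not picked up the web.xml change.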

If you have two contracts, and the Overwrite Real User option is enabled for one of them, the first user authentication does not overwrite the second user authentication. It displays the following error message:

If the IP address and DNS servers are configured statically on Mac OS X Leopard and a successful SSL VPN connection is established, DNS resolution fails to use the DNS server IP address pushed from the SSL VPN server.

When you install the Administration Console and the Identity Server on a Windows 2008 machine, you cannot completely uninstall the components. The uninstall program hangs before it cleans up all the files and registry entries. To work around this issue, see ../../readme/accessmanager_readme_sp2_ir3.html#br1og3r in the Novell Access Manager 3.1 SP2 IR3a Readme.

4.6 Error while Uploading Large Files to an IIS 7.x Back-end Web Server through the Linux Access Gateway Appliance

4.8 OR Condition Rules Are Not Getting Updated Second Time

When you create rules for the role conditions on the Brokering tab for the first time, they are displayed correctly. When you then modify an existing role that uses OR conditions, the change is neither saved nor displayed.

To work around this issue, delete the existing role condition and create a new one.

4.9 The SP Brokering Functionality Does Not Work with Shibboleth IDP as the Origin IDP

If you try to access the Brokering URL after configuring an SP Brokering group with the Shibboleth Identity Provider, it fails to access the target application.

4.10 Service Unavailability Caused by a SLES 11 Issue

Because of an issue in SLES 11, the operating system returns the 127.0.0.2 entry when the hostname is resolved. This causes 127.0.0.2 to become the default address of the listener when the device is added to the cluster.

To work around this issue:

Go to the proxy service page. Change the listening IP address to that of another cluster member, then select the correct IP address again.

5.0 Legal Notices

Novell, Inc., makes no representations or warranties with respect to the contents or use of this documentation, and specifically disclaims any express or implied warranties of merchantability or fitness for any particular purpose. Further, Novell, Inc., reserves the right to revise this publication and to make changes to its content, at any time, without obligation to notify any person or entity of such revisions or changes.

Further, Novell, Inc., makes no representations or warranties with respect to any software, and specifically disclaims any express or implied warranties of merchantability or fitness for any particular purpose. Further, Novell, Inc., reserves the right to make changes to any and all parts of Novell software, at any time, without any obligation to notify any person or entity of such changes.

Any products or technical information provided under this Agreement may be subject to U.S. export controls and the trade laws of other countries. You agree to comply with all export control regulations and to obtain any required licenses or classification to export, re-export or import deliverables. You agree not to export or re-export to entities on the current U.S. export exclusion lists or to any embargoed or terrorist countries as specified in the U.S. export laws. You agree to not use deliverables for prohibited nuclear, missile, or chemical biological weaponry end uses. See the Novell International Trade Services Web page for more information on exporting Novell software. Novell assumes no responsibility for your failure to obtain any necessary export approvals.